United Kingdom (UK)

The UK 'National Cyber Security Strategy 2016-2021' was published in November 2016. Its vision is to make the UK secure and resilient to cyber threats, prosperous and confident in the digital world by 2021. To achieve this vision, its objectives are:

Obj. 1 - DEFEND. Protect the UK against evolving cyber threats, respond effectively to incidents, ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.

Obj. 2 - DETER. Become a hard target for all forms of aggression in cyberspace. Detect, understand, investigate and disrupt hostile action taken against the nation, pursuing and prosecuting offenders. Have the means to take offensive action in cyberspace, should the UK decide to do so.

Obj. 3 - DEVELOP. Create an innovative, growing cyber security industry, underpinned by world-leading scientific research and development. A self-sustaining pipeline of talent will provide the skills to meet national needs across the public and private sectors. Cutting-edge analysis and expertise will enable the UK to meet and overcome future threats and challenges.

INTERNATIONAL ACTION - Invest in partnerships that shape the global evolution of cyberspace in a way that advances wider economic and security interests. Deepen existing links with closest international partners to enhance collective security. Develop relationships with new partners to build their levels of cybersecurity and protect UK interests overseas - bilaterally and multi-laterally, including through the EU, NATO and the UN.

In August 2017, the UK government announced plans to implement the Network and Information Systems (NIS) Directive and to replace existing data protection legislation with the General Data Protection Regulation (GDPR). The GDPR is also considered a lever for improving cybersecurity within an organisation.

NATIONAL CYBERSECURITY STRATEGY - NIS Capacities

Year of adoption

November 2011. The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world.

For the new strategy 2016-2021, the Government will invest a total of £1.9 billion to achieve 13 strategic outcomes around the pillars of deter, defend, and develop. A proportion of the Defence and Cyber Innovation Fund will be allocated to support innovative procurement in defence and security. The strategy, which is government-led, includes two new cyber innovation centres as part of the drive to build an ecosystem of cutting-edge cyber products and new, dynamic cyber security companies.

The National Cyber Security Centre operates as part of the UK Government Communications Headquarters and provides weekly and annual threat and vulnerability reports: https://www.ncsc.gov.uk/index/report

Implementation and monitoring

While the policies, institutions and initiatives established over this period have helped to establish the UK as a leading global player in cyber security, progress reports reveal the need for increased efforts to address the scale and dynamic nature of cyber threats in a more complex landscape:

Expand the role for Government to ensure national cyber security needs are met, driving co-operation across the public and private sectors and ensuring information sharing. Drive an embedded sustainable approach that is multi-stakeholder and multi-sector oriented.

Support a skills base that can keep pace with and get ahead of the changing threat. Identify and bring on talent earlier in the education system with clearer routes into a profession still in definition.

Use levers such as the forthcoming General Data Protection Regulation (GDPR) to drive up standards of cybersecurity across the economy, including, if required, through regulation. The GDPR will replace existing legislation on data protection.

Expand intelligence and law enforcement focus on threats, to identify, anticipate and disrupt hostile cyber activities through co-operation between intelligence agencies, the Ministry of Defence, the police, the National Crime Agency and in coordination with international partner agencies.

Develop and deploy technology in partnership with industry, including Active Cyber Defence measures, to deepen understanding of the threat, strengthen the security of public and private sector systems and networks, and disrupt malicious activity.

The National Cyber Security Centre (NCSC, established on 1 October 2016) serves as the authority on the UK's cybersecurity environment, sharing knowledge, addressing systematic vulnerabilities and providing leadership on key national cybersecurity issues. The GCHQ (Government Communications Headquarters) is the parent body and can therefore draw on expertise and capabilities to improve the support to the economy and society more widely. Government departments are responsible for implementing cyber security advice.

Success metrics are provided for each of the major actions foreseen in the implementation plan (here we consider those related to capacity building as one of the pillars of the EU Cybersecurity Strategy).

Operational Capacity Building

Operational since October 2016, the UK National Cyber Security Centre (NCSC) provides cyber incident response, replacing CESG (the information security arm of the GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure (CPNI). Law enforcement works closely with the NCSC and industry to share the latest criminal threat intelligence to help industry defend itself and mitigate impact.

Developing a world class incident management capability to respond to and reduce the harm from cyber incidents, from those affecting single organisations through to national, large-scale attacks.

Providing communications on how organisations in the public and private sector can deal with cyber security issues, facilitating the sharing of cyber threat information.

Continuing to provide expert sectoral advice to Government and critical sectors like telecommunications, energy and finance, and providing cyber security advice across the UK.

The NCSC is expected to adapt its focus and capabilities to new challenges and lessons learned.

Legal Conditions

The UK (HM) Government has announced plans to:

Implement the EU Directive on Network and Information Systems based on a consultation.

The overall objective is to make the UK the safest place in the world to live and be online. Special emphasis is placed on making sure essential services are prepared for the increasing risk of a cyber-attack. Thus essential services like water, energy, transport and health firms need to be safeguarded against hacking attempts. Firms will also be required to show they have a strategy to cover power failures and environmental disasters.

Adopt the EU General Data Protection Regulation (GDPR). The GDPR will replace the UK's Data Protection Act 1998 from 25 May 2018, giving citizens more control over what happens to personal information under proposals outlined by the government.

The GDPR will considerably strengthen the existing rules and responsibilities around how businesses process and safeguard consumer data. The GDPR will also force organisations to comply with a mandatory breach notification by disclosing a breach within 72 hours. This necessitates understanding and monitoring of threats, making risk management a top priority.

The motivation for the UK government is giving the country one of the most robust, yet dynamic, set of data laws in the world, giving people more control over their data, and requiring more consent for its use.

Proposals included in the bill will:

make it simpler for people to withdraw consent for their personal data to be used.

expand personal data to include IP addresses, DNA and small text files known as cookies.

let people get hold of the information organisations hold on them much more freely.

make re-identifying people from anonymised or pseudonymised data a criminal offence.

Heavy fines will be imposed on organisations failing to comply with the legislation: up to £17m or 4% of global turnover.

Business and public-private partnerships

The 2016-2021 strategy provides for levers and incentives for the UK private sector with government investments aimed at maximising the potential of an innovative UK cyber sector. It also places more emphasis on the role of government in advising businesses and establishing partnerships to achieve objectives. Specifically, the strategy will:

Ensure that businesses of all sizes and sectors take appropriate steps to protect themselves and their customers from the harm caused by cyber attacks by providing advice and tools that are easy to implement.

Work with market influencers like insurers, regulators and investors to highlight the clear business benefits and pricing of cyber risk for more effective risk management.

Create partnerships with professional standards bodies to move beyond awareness raising to persuade businesses to take action.

Establish the right regulatory framework to manage cyber risks that the market fails to address. The GDPR will be one of the levers used to drive up standards of cyber security.

Campaigns and Schemes:

Cyber Aware campaign (formerly Cyber Streetwise) encourages behavioural changes for businesses and the public on protection in cyberspace. The campaign is currently supported by 128 cross-sector partners (e.g. businesses in retail, leisure, travel and professional services).

Cyber Essentials scheme encourages the implementation of 5 technical controls to protect against the most common internet threats. It serves mainly as a reference to organisations providing services to central and local government, ensuring they comply with the most essential requirements.

Cyber-Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.

The strategy also places greater emphasis on critical infrastructures, particularly the telecommunications sector. The objectives for this sector include:

Working with industry, especially Communications Service Providers (CSPs), to make it significantly harder to attack UK internet services and users, and greatly reduce the prospect of attacks having a sustained impact on the UK. This includes measures to secure the UK's telecommunications and internet routing infrastructure.

Improving the protection of government systems and networks, helping industry to build greater security into the supply chain of Critical National Infrastructures (CNI), making the software ecosystem in the UK more secure, and providing automated protections for government online services to citizens.

The Government will also undertake specific actions, such as:

Working with Communications Service Providers (CSPs) to block malware attacks, for example, by restricting access to specific domains or websites that are known sources of malware: Domain Name System (DNS) blocking/filtering.

Promoting security best practice through multi-stakeholder internet governance organisations such as the Internet Corporation for Assigned Names and Numbers (ICANN), which coordinates the domain name system; the Internet Engineering Task Force (IETF) and the European Regional Internet Registry (RIPE), and engagement with stakeholders in the UN Internet Governance Forum (IGF).

Other capacity-building measures: research and education

The NCSC works with industry, government and academia to build cybersecurity capacity for the next generation of researchers, students and innovation.

Cyber security training in schools: The government's Department for Digital, Culture, Media and Sport is investing £20 million to fund cyber security training in schools with the intention of providing nearly 6,000 teenagers with the skills needed not just to protect themselves online, but also to build a future career in the cyber security industry.

Cyber Security Innovation Centre (July 2017): The London-based Centre will be tasked with conducting world-leading research and development into the next generation of security technology. It will receive investments of £14.5 million over a period of 3 years. The government has launched a competition to develop and design the unit. The new centre will bring together both established industry players and new start-ups to collaborate on the development of future security technologies. Through the unit, newly-formed businesses will get access to mentoring services, business support and early-stage growth advice. One of the aims is therefore also to give UK firms access to the latest cyber technology and allow start-ups to get the support they need to develop.

Cyber Security Centre for defence procurement (July 2017): Other capacity-building measures include the establishment of a Cyber Security Centre for defence procurement by the UK Ministry of Defence with an investment cost of £3 million. The centre's objectives are to:

Enable Lockheed Martin to work more closely with UK partners to share knowledge and best practices, undertake research and develop new cyber defence capabilities.

Create new jobs in the area of cybersecurity.

According to UK government spokespeople, this is another example of co-developing solutions to national security risks, where the national strategy helps drive partnerships with industry, including an investment of £10m in a new Cyber Innovation Fund to give start-ups the boost and partners they need.

Risk assessment plan

The 2016-2021 national strategy places much emphasis on risk assessment and management at national level, within the business community and across the public sector. Strategic outcomes at government level include:

Government departments and other bodies are called upon to protect themselves in proportion to their level of risk and to an agreed minimum standard.

Awareness of, and active mitigation of all known internet-facing vulnerabilities in government systems and services.

Strategic outcomes for the business community and among citizens:

Understanding of the level of cyber security across the critical national infrastructure (CNI), with measures in place to intervene as necessary, and drive improvements in the national interest.

The UK has an improving cyber security culture, because organisations and the public understand their cyber risk levels, and understand the cyber hygiene steps they need to take to manage those risks.

Success measures

The 2016-2021 strategy provides for 13 strategic outcomes, each with a set of indicative success metrics to 2021. The strategic outcomes and some of the indicative metrics are summarised below.

The UK has the capability to effectively detect, investigate and counter the threat from the cyber activities of adversaries: Stronger information sharing established with international partners. Improved understanding of threats related to cyber terrorism. Pipeline of skills and expertise for the development and deployment of sovereign offensive cyber capabilities. Effective sovereign cryptographic capabilities with regard to secret and sensitive information. DETER.

The impact of cybercrime on the UK and its interests is significantly reduced and cyber criminals are deterred from targeting the UK: Dismantling criminal networks. Improved law enforcement capability, including overseas. Improved early intervention measures. Reduction in low-level cyber offences. DETER & PREVENT.

The UK has the capability to manage and effectively respond to cyber incidents to reduce harm they cause in the UK and counter cyber adversaries: Higher proportion of incidents are reported to the authorities, leading to a better understanding of the size and scale of the threat. Better management of cyber incidents enabled by the NCSC as a centralised incident reporting and response mechanism. Investigating the root causes of attacks at a national level and reducing occurrence of repeated exploitation across multiple sectors. DEFEND.

Partnerships with industry on active cyber defence mean that large scale phishing and malware attacks are no longer effective: Large-scale defences against the use of malicious domains, more anti-phishing protection, and other forms of harmful communication made harder to use. The UK's internet and telecommunications traffic is significantly less vulnerable to rerouting by malicious actors. GCHQ, Defence and the National Crime Agency (NCA) capabilities to respond to serious state-sponsored and criminal threats have significantly increased. DEFEND.

The UK is more secure as a result of technology products and services having cyber security designed into them and activated by default: Most commodity products and services available in the UK in 2021 are more secure, because they have security settings enabled by default or security integrated by design. Government services are trusted by the UK public because they are implemented as securely as possible, and fraud levels are within acceptable risk parameters. DEFEND.

Government networks and services will be as secure as possible from first implementation. The public will be able to use government digital services with confidence, and trust that their information is safe: Government has in-depth understanding of the level of cyber security risk across the whole of government and the wider public sector. Resilience and effective response to cyber incidents, maintaining functions and recovering quickly. New technologies and digital services deployed by government will be cyber secure by default. All government suppliers meet appropriate cyber security standards. DEFEND.

All organisations, large and small, are effectively managing their cyber risk, are supported by high quality advice designed by the NCSC, underpinned by the right mix of regulation and incentives: See risk assessment plan above. DEFEND.

There is the right ecosystem in the UK to develop and sustain a cyber security sector that can meet national security demands: Greater than average global growth in the size of the UK cyber sector year on year. Significant increase in investment in early stage companies. DEVELOP.

The UK has a sustainable supply of home grown cyber skilled professionals to meet the growing demands of an increasingly digital economy, in both the public and private sectors and defence: Effective and clear entry routes into the cyber-security profession that are attractive to a diverse range of people. By 2021 cyber security is taught effectively as an integral part of relevant courses within the education system, from primary to post-graduate level. Cyber security is widely acknowledged as an established profession and has achieved Royal Chartered Status. DEVELOP.

The UK is universally acknowledged as a global leader in cyber security research and development, underpinned by high levels of expertise in UK industry and academia: Significant increase in the number of UK companies successfully commercialising academic cyber research, with fewer identified gaps in national research capability. The UK has a reputation as being a global leader in cyber security research and innovation. DEVELOP.

The UK government is already planning and preparing for policy implementation in advance of future technologies and threats and is "future proofed": Enhanced international collaboration reduces cyber threat. Common understanding of responsible state behaviour. Increased cyber security of international partners and increased consensus on the benefits of a free, open, peaceful and secure cyberspace. DEVELOP.

Threat to UK interests overseas is reduced due to increased international consensus and capability towards responsible state behaviour in a free, open, peaceful and secure cyberspace: With the same outcomes as number 11. INTERNATIONAL ACTION & INFLUENCE.

UK Government policies, organisations and structures are simplified to maximise the coherence and effectiveness of the UK's response to the cyber threat: Government cyber security responsibilities are understood and services are accessible. Partners understand how best to interact with Government on cyber security issues. CROSS-CUTTING.

Overall assessment/best practices

The NCSC offers a unified source of advice for the Government's cyber security threat intelligence and information assurance. It provides a strong public face against cyber threats, working hand in hand with industry, academia and international partners and acts as a public-facing organisation with reach back to the GCHQ to draw on secret intelligence and world-class technical expertise.

Date of last WISER analysis

August 2017

Compliance with the GDPR and NIS Directive: Report a cyber incident

Report a cyber incident to national CERT/CSIRT

In the event of a cyber security incident, it is important for organisations to check their reporting obligations under data protection legislation and other applicable legislation.

The NCSC provides guidance for UK industry, government departments, the critical national infrastructure and private SMEs. Guidance includes topic-specific reports, infographics and a (regularly updated) glossary: https://www.ncsc.gov.uk/guidance. It also publishes alerts and advisories addressing cybersecurity issues detected in the UK, and in-depth analysis of cyber threats and vulnerabilities: https://www.ncsc.gov.uk/threats.